What the private sector can learn from militaries about the convergence of cyber and physical threats
Physical security and information security teams don’t traditionally play that well together. In the face of evolving converged security threats, writes chief editor Nicholas Dynon, that needs to change.
I’ve written about security convergence for some time, but it’s not a topic that seems to elicit waves of engagement from the business world. It’s as if corporate security and risk managers (CSOs, CISOs and the like) have some awareness that the threats they’re increasingly facing are not just cyber or physical but both… but they’re struggling to make sense of it.
Conversely, many militaries and national security apparatuses have been positioning themselves to compete in hybridised cyber-physical battlespaces for some time. Maybe private sector organisations can draw some cold inspiration from what’s been happening in the geopolitical space.
Militaries and the hybridisation of threats
In the world of geopolitics and international relations, the emergence of hybrid digital-physical security threats is widely acknowledged. Most of us know something, for example, of the 2010 Stuxnet attack, the 2015 Ukrainian power grid hack, ISIS online propaganda, and interference in the 2016 US elections by state-based interests.
What these examples have in common is the deployment of digital or cyber capabilities in order to achieve physical – or real-world – objectives. And it can go the other way too: physical capabilities can be deployed to wreak havoc on IT platforms, to destroy telecommunications infrastructure, or to extract digitally stored information.
These hybridised threats reflect a shift in the way that states (and some non-state actors) compete with each other; how they engage in conflict. It is now widely understood by strategic and military affairs scholars that the emergence of digital-physical threats has led to a new era of conflict no longer defined by open declarations of war or traditional rules of engagement.
In the emerging era of ‘smokeless battlefields’, ‘soft conflict’, and ‘hybrid war’, states engage in a continuous state of hybridised kinetic/non-kinetic conflict. As a result, in addition to the traditional military domains of maritime, land and air, several militaries have recognised that the ‘information domain’ is now a space within which they must operate.
Accordingly, a number of countries’ militaries have established information or cyber forces to complement their existing (physical/kinetic) warfighting units.
In the case of New Zealand, rather than establishing a discrete cyber force, the New Zealand Defence Force (NZDF) has gone down the route of establishing an information domain within its structure that will provide enhanced capability to units that comprise its established maritime, land and air forces.
Having recognised the evolving nature of contemporary conflict, militaries are developing hybridised structures and capabilities in response. What about private sector organisations?
Security convergence in the private sector
There appears to be strong consensus that – despite ample evidence of the devastating effect of hybrid threats in both the geopolitical and corporate realms – most private sector organisations still maintain their digital/cyber security and physical security functions in distinct silos.
According to the US Cybersecurity and Infrastructure Security Agency, “physical security and cybersecurity divisions are often still treated as separate entities. When security leaders operate in these siloes, they lack a holistic view of security threats targeting their enterprise. As a result, attacks are more likely to occur”.
It’s a perspective reiterated by PricewaterhouseCoopers. “Many of the conventional physical and information security risks are viewed in isolation,” states a PwC document titled Convergence of Security Risks. “These risks may converge or overlap at specific points during the risk lifecycle, and as such, could become a blind spot to the organisation or individuals responsible for risk management.”
The ASIS Foundation study The State of Security Convergence in the United States, Europe, and India has found that despite “years of predictions about the inevitability of security convergence, just 24 percent of respondents have converged their physical and cybersecurity functions.”
Heads in the sand?
Despite the hybridisation of conflict being widely acknowledged by governments at the geopolitical level, it appears that private sector organisations are taking their time to adjust to this 21st-century, fourth industrial revolution reality.
The convergence of security threats can take the form of something as simple as a malevolent actor masquerading as a worker and tailgating a bona fide employee through a physical access control system in order to launch a cyberattack via an unattended workstation. It could be a cyber backdoor on an unpatched IP-enabled CCTV camera exploited to gather intelligence in relation to an organisation’s physical defences.
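The tailgating and unattended-workstation scenario above is exactly the kind of event that neither team can see on its own: the access control system only sees a single badge swipe, and the identity system only sees a routine interactive logon. The detection only becomes possible when the two data sets are correlated. The following is an added example (not from the article, and not any vendor's product logic) that joins constructed badge-reader records with constructed workstation logon records and flags logons where the account holder has no recent badge entry at that site, or badged out before the logon occurred. The log line formats, user names, site codes and the 12-hour window are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records (assumed format: "<ISO timestamp> <user> <site> <in|out>").
BADGE_LINES = [
    "2024-03-01T08:02:10 alice HQ in",
    "2024-03-01T12:01:00 alice HQ out",
    "2024-03-01T07:55:00 carol HQ in",
]

# Constructed sample records (assumed format: "<ISO timestamp> <user> <workstation> <site>").
LOGON_LINES = [
    "2024-03-01T08:15:00 alice WS-101 HQ",   # badged in 13 minutes earlier: expected
    "2024-03-01T12:30:00 alice WS-101 HQ",   # alice badged out at 12:01: who is at WS-101?
    "2024-03-01T09:30:00 bob WS-207 HQ",     # no badge entry for bob at HQ: tailgating?
    "2024-03-01T08:10:00 carol WS-305 HQ",   # badged in earlier: expected
]


@dataclass
class BadgeEvent:
    ts: datetime
    user: str
    site: str
    direction: str  # "in" or "out"


@dataclass
class LogonEvent:
    ts: datetime
    user: str
    workstation: str
    site: str


def parse_badge(line: str) -> BadgeEvent:
    ts, user, site, direction = line.split()
    return BadgeEvent(datetime.fromisoformat(ts), user, site, direction)


def parse_logon(line: str) -> LogonEvent:
    ts, user, workstation, site = line.split()
    return LogonEvent(datetime.fromisoformat(ts), user, workstation, site)


def find_suspicious_logons(
    badge_events: List[BadgeEvent],
    logon_events: List[LogonEvent],
    window: timedelta = timedelta(hours=12),
) -> List[Tuple[LogonEvent, str]]:
    """Correlate physical entry with interactive logon.

    A logon is flagged when the account holder has no badge event at that site
    in the look-back window, or when their most recent badge event is an exit.
    """
    by_user: Dict[str, List[BadgeEvent]] = {}
    for b in badge_events:
        by_user.setdefault(b.user, []).append(b)
    for events in by_user.values():
        events.sort(key=lambda e: e.ts)

    findings: List[Tuple[LogonEvent, str]] = []
    for lg in logon_events:
        recent = [
            b for b in by_user.get(lg.user, [])
            if b.site == lg.site and lg.ts - window <= b.ts <= lg.ts
        ]
        if not recent:
            findings.append((lg, "no badge entry at site within window"))
        elif recent[-1].direction == "out":
            findings.append((lg, "account holder badged out before this logon"))
    return findings


def run_demo() -> List[Tuple[LogonEvent, str]]:
    badges = [parse_badge(l) for l in BADGE_LINES]
    logons = [parse_logon(l) for l in LOGON_LINES]
    return find_suspicious_logons(badges, logons)


if __name__ == "__main__":
    for logon, reason in run_demo():
        print(f"{logon.ts.isoformat()} {logon.user}@{logon.workstation}: {reason}")
```

Both flagged events here are triage leads, not verdicts: a badge reader that failed to register a swipe, a remote (VPN) session that legitimately never passes a door, or a shared building entrance will all produce the same signal. The point of the example is organisational rather than algorithmic: the correlation is trivial once the physical security team's access logs and the information security team's authentication logs land in the same place, and impossible while they sit in separate silos.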
In the main, an organisation’s cyber/information security team tends to be a world apart – both culturally and operationally – from its physical security team. They tend to have separate reporting lines, and they don’t tend to work that well together. This is exactly the type of situation the hybridised threats of today can exploit… and will increasingly exploit.
We need to be smashing the organisational siloes that have been keeping organisations’ digital and physical functions apart. We need to converge our structures and our security responses in order to address converged security threats.
It’s not easily done, as there are organisational boundaries that will need re-drawing, organisational cultures that will need reengineering, and traditionalists that will need re-educating. But it has to be done.